Edit: As I was asked to clarify this question, I will state it in one sentence: what is a good lockout policy for web applications, why, and on what does it depend?
It is hard to find a best practice regarding account lockout policies. Windows suggests locking an account after 4 to 10 failed attempts.
PCI uses the following minimum criteria:
- User accounts are temporarily locked-out after not more than six invalid access attempts.
- Once a user account is locked out, it remains locked for a minimum of 30 minutes or until a system administrator resets the account.
Drupal has the following defaults, which are still used today:
Drupal 7 prevents brute force attacks on accounts. It blocks login by a user that has more than 5 failed login attempts (within six hours) or an IP address that has more than 50 failed login attempts (within one hour).
Does anyone have any other best practices I can add? I would like to have an open discussion on the subject and try to find one set of guidelines for a decent lockout policy that balances security, usability, and denial of service.
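To make the thresholds above concrete, here is an added example (not from the question or from Drupal/PCI code) of a login guard that combines the two policies: Drupal's per-account and per-IP sliding windows (more than 5 failures in 6 h, more than 50 failures in 1 h) and PCI's per-account lock of at least 30 minutes or until an administrator resets it. The class name, method names and the policy constants are assumptions chosen for the example.

```python
import time
from collections import defaultdict, deque

# Thresholds taken from the question: Drupal's defaults and PCI's minimum lock duration.
ACCOUNT_LIMIT, ACCOUNT_WINDOW = 5, 6 * 3600   # lock after more than 5 failures in 6 h
IP_LIMIT, IP_WINDOW = 50, 3600                # block after more than 50 failures in 1 h
LOCKOUT_SECONDS = 30 * 60                     # PCI: locked >= 30 min or until admin reset


class LoginGuard:
    """Tracks failed logins per account and per source IP using sliding windows."""

    def __init__(self):
        self._account_fails = defaultdict(deque)   # username -> failure timestamps
        self._ip_fails = defaultdict(deque)        # ip -> failure timestamps
        self._locked_until = {}                    # username -> unlock time

    @staticmethod
    def _prune(q, now, window):
        # Discard failures older than the window so the count is a sliding window.
        while q and q[0] <= now - window:
            q.popleft()

    def is_blocked(self, username, ip, now=None):
        """Call before authenticating; True means reject without checking the password."""
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0) > now:
            return True                            # per-account lock still in force
        self._prune(self._ip_fails[ip], now, IP_WINDOW)
        return len(self._ip_fails[ip]) > IP_LIMIT  # IP has exhausted its hourly budget

    def record_failure(self, username, ip, now=None):
        now = time.time() if now is None else now
        self._ip_fails[ip].append(now)
        q = self._account_fails[username]
        q.append(now)
        self._prune(q, now, ACCOUNT_WINDOW)
        if len(q) > ACCOUNT_LIMIT:
            # Per-account lock: this is the denial-of-service trade-off the question
            # names, since anyone who knows a username can trigger it.
            self._locked_until[username] = now + LOCKOUT_SECONDS

    def record_success(self, username):
        self._account_fails[username].clear()      # a real login resets the counter

    def admin_reset(self, username):
        self._account_fails[username].clear()
        self._locked_until.pop(username, None)
```

The per-IP window only throttles a single source, so a distributed attack is not stopped by it; the per-account lock catches that case at the cost of lockout as a denial-of-service vector.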